Reverse Shell

Reverse Shell 1.93 (2006/11/23)
Short
A tool to create a Secure/Remote shell tunnel and then start commands/shells
on the tunnel destination machine to be executed on the tunnel originating machine.
Warning
It is quite easy to weaken the security of your network with this
tool (for example by making holes in a firewall). Know what you are doing
when using this tool.
Usage
Usage: revsh [-d] [-l username] host command
With the command `shell', an interactive shell session is started.
If 'host' is ssh2, ssh, lsh or rsh, then that "host" is used
as the tunnel creation command instead, and the rest of the arguments
are given to that command (-l username is then in the format
-l user[@host]).
The option -d is used only with a tunnel creation command;
the program goes to the background after the tunnel is successfully created.
Read the ssh2(1), ssh(1), lsh(1), rsh(1) manual pages for companion information.
RevSH limitations
revsh (it was then revcmd) was originally a quick & dirty tool to access a
CVS repository through a firewall, so that ordinary users could grant
access by just running revsh to create a tunnel. Not much thought was
given to design. (Not!) surprisingly, it still took more time to get the
simplest things working than was originally thought.
* No flow control. Revsh provides multiplexed data "pipes" but doesn't
control the traffic, so one datastream can make other "connections"
work jerkily. This usually isn't a problem. If a program that receives
data blocks reading for longer than 900 ms it will be killed.
(Originally this limit was 50 ms, but the Nokia 770 could not handle that.)
Fixing this would require a rewrite of big parts of the code.
* Communication between revsh-client and revsh-forwarder (the revsh
components running on the remote host where the revsh tunnel is created)
is (also) just simple datastreams; the client cannot receive any "metadata",
like program exit values and so on. Also, the client cannot pass window
size changes, signals or anything else to the commands running under revsh-server.
Using some communication protocol between revsh-client and revsh-forwarder
could fix this. This requires much less rewriting than the above.
* Currently the revsh-client and revsh-forwarder parts can only be run on a Linux
system, since other OSes do not return POLLHUP in .revents.
revsh-server (i.e. the revsh tunnel originating component) can be run on
OSes other than Linux.
Using a communication protocol like the one above could fix this issue
as well.
* revsh-shell does not have an escape character.
Adding one requires tuning of revsh-client. There are options to avoid the no-flow-control
problems, but implementing flow control would definitely help here.
* The system is limited to 125 multiplexed "connections" through one
revsh tunnel connection. This should not be a big problem.
* The program requires the openpty() function to compile. It would not be too
difficult to copy an openpty() implementation and compile that when there
is no support in the system libraries. Good candidates to copy from
are the dtach(1) and ssh(1) source code.
Nevertheless, RevSH is perfectly suitable for the usual cases users need it for.
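An added C example (my own code, not from revsh.c) of the hangup check the POLLHUP limitation above is about: it treats a zero-byte read() as a hangup, so a client written this way would not depend on Linux returning POLLHUP; the pipe-based demo and its values are constructed.

```c
#include <poll.h>
#include <unistd.h>

/* Added example, not revsh's own code: hangup detection that does not depend on
 * POLLHUP, the Linux-only behaviour the limitation above describes. */
enum stream_state { STREAM_DATA, STREAM_HUNGUP, STREAM_IDLE };

/* Wait up to timeout_ms for one multiplexed stream. Linux reports a closed peer as
 * POLLHUP in .revents; other systems may raise only POLLIN and then hand back 0 bytes
 * from read(). Both paths end in STREAM_HUNGUP here, so a port would not need POLLHUP. */
enum stream_state check_stream(int fd, int timeout_ms, char *buf, size_t cap, ssize_t *len)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&pfd, 1, timeout_ms);
    *len = 0;
    if (rc == 0) return STREAM_IDLE;                            /* no event before the timeout */
    if (rc < 0 || (pfd.revents & (POLLERR | POLLNVAL))) return STREAM_HUNGUP;
    if (pfd.revents & (POLLIN | POLLHUP)) {
        ssize_t n = read(fd, buf, cap);
        if (n <= 0) return STREAM_HUNGUP;                       /* EOF (or error): peer is gone */
        *len = n;
        return STREAM_DATA;
    }
    return STREAM_IDLE;
}

/* Constructed demo: a pipe stands in for one revsh data stream; the writer sends a
 * command and then goes away. Returns 1 when data -> idle -> hangup is observed. */
int demo_pipe_hangup(void)
{
    int p[2], ok = 0; char buf[32]; ssize_t n;
    if (pipe(p) != 0) return 0;
    if (write(p[1], "ls\n", 3) == 3
        && check_stream(p[0], 100, buf, sizeof buf, &n) == STREAM_DATA && n == 3
        && check_stream(p[0], 100, buf, sizeof buf, &n) == STREAM_IDLE) {
        close(p[1]);                                            /* writer closes: hangup */
        ok = check_stream(p[0], 100, buf, sizeof buf, &n) == STREAM_HUNGUP;
    } else close(p[1]);
    close(p[0]);
    return ok;
}
```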
Quick start
(orig: commands executed on tunnel originating machine,
dest: commands executed on tunnel destination machine)
orig 1 $ wget http://www.iki.fi/too/sw/revsh/revsh.c
orig 2 $ sh revsh.c
orig 3 $ cp revsh /path/to/bindir/in/PATH/
---
dest 1 $ wget http://www.iki.fi/too/sw/revsh/revsh.c
dest 2 $ sh revsh.c
dest 3 $ cp revsh /path/to/bindir/in/PATH/
---
orig 4 $ revsh ssh2 dest
---
dest 4 $ revsh orig ls
dest 5 $ revsh orig shell
dest 6 $ SVN_SSH=revsh svn co svn+ssh://orig/path/to/svn/projects/revsh
---
(ctrl-c on orig machine)
orig 5 $ revsh -l foo@bar ssh2 dest
---
dest 7 $ revsh -l foo bar ls
dest 8 $ revsh foo@bar hostname
Program description
In order to work, revsh has the following 4 modes of operation:
revsh_server: "Server" mode. This mode is chosen when ssh2, ssh, lsh or rsh
is given as host (fsh could be added too, but...;). In this mode, a
tunnel to the remote host is created and then the program starts waiting
for messages from the frontend.
revsh_forwarder: In this mode revsh is started as the tunnel endpoint for
revsh_server. This mode is chosen when the environment variable
REVSH_DAEMON_SOCKET_FILE is defined. revsh_server sets this up when
creating the tunnel with the following trick (compare to orig 5 $ above):
ssh2 dest REVSH_DAEMON_SOCKET_FILE=foo@bar revsh
revsh_client: In this mode revsh works like ssh2, ssh, lsh and rsh work
normally. This mode is chosen if none of the other modes (above and below)
applies. revsh tries to connect to the unix socket in the file
/tmp/revsh-/@ and if that succeeds, expects to be
communicating with revsh_forwarder. After a version check it passes the
command line arguments to revsh_forwarder. revsh_forwarder in turn
creates a "channel" with revsh_server, passes the given information for
revsh_server to execute and passes the input/output(/error) streams
between revsh_server and revsh_client, so that reverse shell works
as much like secure shell and remote shell as possible.
revsh_shell: This is a special mode, whose purpose on the tunnel destination
machine is to restrict access to revsh_front only. This mode is
chosen when the SHELL environment variable contains the string "revsh".
This happens when the user's shell in /etc/passwd contains the full path
to revsh instead of a standard shell, like bash or zsh. I have the
following in my /etc/passwd:
too:x:501:501:Tomi Ollila:/p/home/too:/bin/zsh
toorcmd:x:501:501:Tomi Ollila RevSH:/tmp/revsh-501:/p/bin/revsh
With secure shell authorization keys I can ask users to create a tunnel
for me, without allowing them to execute anything else on my machine.
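As an added illustration of the mode selection and the forwarder-start trick described above (my own C sketch, not revsh.c): the order in which the modes are checked, the user@host default used when -l is absent, and the sample command line are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not revsh's own code: the four modes and the forwarder-start
 * trick as the Program description explains them. Check order is my assumption. */
enum revsh_mode { MODE_SERVER, MODE_FORWARDER, MODE_SHELL, MODE_CLIENT };

static int is_tunnel_cmd(const char *s)
{ return !strcmp(s, "ssh2") || !strcmp(s, "ssh") || !strcmp(s, "lsh") || !strcmp(s, "rsh"); }
/* Skip [-d] [-l username]; returns the index of "host" (or of the tunnel command). */
static int skip_opts(int argc, char **argv, const char **luser)
{
    int i = 1;
    while (i < argc && argv[i][0] == '-') {
        if (!strcmp(argv[i], "-l") && i + 1 < argc) { if (luser) *luser = argv[i + 1]; i += 2; }
        else if (!strcmp(argv[i], "-d")) i++;  /* -d: go to background once the tunnel is up */
        else break;                            /* unknown option: leave it to the caller */
    }
    return i;
}

enum revsh_mode revsh_select_mode(int argc, char **argv, const char *env_socket, const char *env_shell)
{
    int i = skip_opts(argc, argv, NULL);
    if (i < argc && is_tunnel_cmd(argv[i])) return MODE_SERVER;     /* host is ssh2/ssh/lsh/rsh */
    if (env_socket) return MODE_FORWARDER;                          /* REVSH_DAEMON_SOCKET_FILE set */
    if (env_shell && strstr(env_shell, "revsh")) return MODE_SHELL; /* restricted login shell */
    return MODE_CLIENT;
}

/* Server mode turns "ssh2 dest" into "ssh2 dest REVSH_DAEMON_SOCKET_FILE=<id> revsh". default_id
 * stands in for a missing -l (assumed: user@host of the originating side). Returns the number
 * of words written, or 0 when this is not a server-mode invocation. */
int revsh_tunnel_argv(int argc, char **argv, const char *default_id,
                      char **out, int outmax, char *envbuf, size_t envlen)
{
    const char *id = default_id;
    int i = skip_opts(argc, argv, &id), n = 0;
    if (i >= argc || !is_tunnel_cmd(argv[i]) || outmax < 4) return 0;
    for (; i < argc && n < outmax - 3; i++) out[n++] = argv[i];  /* tunnel command + its args */
    snprintf(envbuf, envlen, "REVSH_DAEMON_SOCKET_FILE=%s", id);
    out[n++] = envbuf; out[n++] = "revsh"; out[n] = NULL;
    return n;
}
/* Constructed sample, Quick start "orig 5": k-th word of the generated tunnel command or NULL. */
const char *demo_tunnel_word(int k)
{
    static char *argv[] = { "revsh", "-l", "foo@bar", "ssh2", "dest" }, *out[8], env[64];
    int n = revsh_tunnel_argv(5, argv, "me@orig", out, 8, env, sizeof env);
    return (k >= 0 && k < n) ? out[k] : NULL;
}
```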
TODO
- Reporting exit values of commands / shells.
- Inform the remote program about window size changes (when in shell mode).
- Have an escape character when in shell mode in revsh_command.
- Change revsh_client HANGUP checking to support systems other than Linux.
- Implement openpty() for systems that don't have one.
- Shell mode should be possible without giving 'shell' on the command line.
- That's all for now. Adding more documentation is the last TODO entry.
2006/02/02 Tomi Ollila